Cisco 400-007 Exam With Confidence Using Practice Dumps

In IPv6, routers advertise prefixes via Router Advertisement (RA) messages. An attacker could inject rogue RAs to manipulate the IPv6 configuration of endpoints.

Router Advertisement Guard (RA Guard) blocks unauthorized RA messages from being received on access ports, preventing endpoints from receiving incorrect IPv6 prefixes from malicious or misconfigured devices.

This security feature is crucial when devices have IPv6 enabled but the network is IPv4-only.

Other options explained:

A: Source Guard and Prefix Guard enforce valid address and prefix assignment but do not prevent RA spoofing directly.

C: Prefix Guard focuses on controlling prefixes being assigned, not blocking RA messages.

D: Secure Neighbor Discovery (SEND) provides cryptographic protection but is rarely deployed due to complexity.

Comprehensive and Detailed Explanation From Exact Extract of Design Expert (CCDE)

Summarization reduces control plane state by abstracting detailed route information. As packets move further away from the destination subnet, the network advertises summarized prefixes instead of individual host or subnet routes, minimizing control plane overhead and routing table size. This helps scale large networks and improves convergence times.

While aggregation and summarization are related, summarization specifically refers to the propagation of route prefixes and their abstraction — making it the precise fit for this question.

C (Transparent firewall): Operates at Layer 2, allowing filtering and inspection of traffic within the same subnet without requiring IP routing changes. It performs deep packet inspection while maintaining Layer 2 adjacency, making it ideal for intra-subnet traffic control in data centers.

This allows security segmentation inside broadcast domains, enforcing security policies even for east-west traffic.

Other options explained:

A: Routed firewalls require subnet boundaries and are not ideal for intra-subnet control.

B: VLAN ACLs provide basic filtering but lack deep packet inspection capabilities.

D: Zone-based firewalls are primarily designed for inter-subnet (Layer 3) traffic segmentation.